Bug 10635 - Office365 azure Password Sync not working
Summary: Office365 azure Password Sync not working
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.12.0
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-27 13:58 UTC by Michael Schobel-Thoma
Modified: 2020-10-23 18:19 UTC
CC: 9 users

See Also:


Attachments
Event ID 611 Log (3.33 KB, text/plain)
2020-03-05 13:41 UTC, Khader Welaye

Description Michael Schobel-Thoma 2014-05-27 13:58:53 UTC
OS: Ubuntu 14.04 - MS Azure Password Sync to Office 365.

When I start the sync, a Kerberos WRONG PARAM error appears in the Samba log, and Azure is logging the following:

Password synchronization failed for domain: domain.com. Details: 
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: RPC Error 1728 : A remote procedure call (RPC) protocol error occurred. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry(Action operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: RPC Error 1728 : A remote procedure call (RPC) protocol error occurred. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry(Action operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: RPC Error 1728 : A remote procedure call (RPC) protocol error occurred. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry(Action operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Comment 1 Tommie Van Mechgelen 2015-05-05 14:59:49 UTC
Hi,

I am experiencing the same problem when using DirSync with Azure/Office 365.  I am currently running Samba 4.2.1 compiled from source.

Are we missing some RPC calls to have this working in Samba?

Password synchronization failed for domain: domain.com. Details: 
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1727 : The remote procedure call failed and did not execute. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1727 : The remote procedure call failed and did not execute. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: domain.com. Error: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: There was an error creating the connection context. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 1727 : The remote procedure call failed and did not execute. Error creating DRS context handle.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.DrsBind(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle, _GUID sourceDsaGuid, _DRS_EXTENSIONS_INT* clientExtensions, _DRS_EXTENSIONS** serverExtensions, RpcBindingSecurityCallbackHandler securityCallback)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnectionContext.CreateDrsHandle(Void* rpcBindingHandle, SafePointer<_SEC_WINNT_AUTH_IDENTITY_W> authHandle)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.CreateConnectionContext(SourceDomainController sourceDomain)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.EstablishConnection()
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.Connect()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.<>c__DisplayClass1.<ExecuteWithRetry>b__0()
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.OpenConnection(IDrsConnection connection)
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.CreateConnection()
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.
Comment 2 tf 2016-03-22 14:47:21 UTC
Same problem with an up-to-date Samba on an Arch Linux box.

What is needed to get AD Azure sync working on Samba?

Best regards

Torsten Fohrer
Comment 3 Alex MacCuish 2016-09-03 10:40:51 UTC
The new AAD Connect gives me the following error:

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9.<RetrieveObjectChangesFromAD>b__3(IDrsConnection c)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.<>c__DisplayClass9.<RetrieveObjectChangesFromAD>b__3(IDrsConnection c)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.RetrieveObjectChangesFromAD(List`1 retryObjects)
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   --- End of inner exception stack trace ---
   at Microsoft.Online.PasswordSynchronization.RecoveryTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.
Comment 4 Andrew Bartlett 2016-09-03 10:43:03 UTC
Please retry with Samba 4.5, as we fixed ReplicateSingleObject for that release.
Comment 5 Michal Dejmek 2016-09-20 09:50:38 UTC
The same bug in version 4.5.0.
Comment 6 Khader Welaye 2020-03-05 13:35:08 UTC
I know this bug has been open for a long time, but Password Hash Synchronization in Azure AD Connect is still broken. AADConnect event logging shows the following:

RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges.

In Windows Server AD environments, this error is usually caused by missing Replicating Directory Changes / Replicating Directory Changes All permissions on the AAD sync service account, which is not the case here.

Setting the AADConnect Sign On method as Pass-through authentication instead is a usable workaround (where sign-in requests are passed back down to the DC instead of using the synced Password Hash in AAD). Password Hash Sync is preferable, since it would continue to provide sign on services if either the DC or the server hosting AADConnect went down.

OS: Zentyal Server Development Edition 6.1 (Based on Ubuntu)
Samba: 4.7 (Version included with distribution)

Looking up this issue online in various threads, Samba 4.8 is the latest version I've heard people report on this issue with. Please let me know if I can provide more information regarding this. I am assuming this issue still exists as of Samba 4.12, as I didn't see anything related in the change logs, but I haven't been able to test.
Comment 7 Khader Welaye 2020-03-05 13:41:00 UTC
Created attachment 15842 [details]
Event ID 611 Log

I thought I'd shove this in a text file instead of taking up more thread space.
Comment 8 Andrew Bartlett 2020-03-31 08:48:16 UTC
(In reply to Khader Welaye from comment #6)
Testing with a modern version would be the first step towards getting any resolution here.
Comment 9 heupink 2020-10-17 10:01:11 UTC
Using Microsoft's latest method "Azure AD Connect cloud provisioning" (Preview) with 4.12.8-SerNet-Debian-8.buster, we are getting this:

An on-premises agent reported errors in attempting to read the entry with this identifier: faa071f5-5924-4cd3-8f8e-0afc599b919b. [2020-10-17T09:48:20.8040421Z](92) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.<>c__DisplayClass8_1.<RetrieveSingleObject>b__0() at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.PasswordEnumerator.RetrieveSingleObject(Guid objectGuid, String distinguishedName) at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.TryFetchPasswordDataForSingleObject(Guid objectGuid, Func`2 translationFunction, Resource& resource) at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.ActiveDirectoryProvider.AggregatePasswords(Guid objectGuid, IList`1 aggregate)

Next I will try to get a level 10 debug log from this DC while this error occurs.
Comment 10 heupink 2020-10-17 11:53:00 UTC
Another observation: Samba is running with continuously high CPU usage (50-60%) while the Azure AD Connect cloud provisioning server is running.
We shut down the server, and CPU usage returns to normal (below 10%).
Comment 11 Ralph Böhme 2020-10-17 12:40:19 UTC
We've recently looked into this and the problem is that the Azure sync client is not able to replicate certain secret attributes including the passwords.

The reason for this is that basically the Samba DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights, instead it restricts the right to connected (RO)DCs.

To fix this someone has to dig into this and implement the correct security checks. I have a WIP patch but it's going to take at least a week or two of effort to write tests that teach us the correct behaviour of a Windows DC and then implement this in Samba.
Comment 12 Ralph Böhme 2020-10-19 09:57:40 UTC
(In reply to Ralph Böhme from comment #11)
Fwiw, using an account that's a member of Domain Admins will also work.
Comment 13 heupink 2020-10-19 15:42:57 UTC
Really? Are you sure? We are running with a domain admin account configured in the Azure AD Connect cloud provisioning, and we're getting:

An on-premises agent reported errors in attempting to read the entry with this identifier: ce41b509-746c-45b1-8886-4f203c60. [2020-10-18T12:47:01.9891903Z](28) Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context could not be found. There was an error calling _IDL_DRSGetNCChanges
Comment 14 Ralph Böhme 2020-10-19 15:52:05 UTC
(In reply to heupink from comment #13)
Hm, this looks totally different from what we've been seeing in a very specific test setup with a Windows 2008R2 DC (at schema level 2012) and a Samba DC.
Comment 15 heupink 2020-10-19 16:01:27 UTC
Do I understand correctly that you ran your Azure sync *ON* that Windows 2008R2 DC? Reading the Microsoft docs, I understand this is not required. We are testing with a Windows 2016 (domain member) server, NOT a DC.
Comment 16 Ralph Böhme 2020-10-19 16:18:49 UTC
(In reply to heupink from comment #15)
No, this was the DC we replicated from. This was used in a deliberate attempt to be able to compare replication between comparable Windows and Samba DCs, both being at the same schema and functional level and so forth.

The Azure sync client was installed on a Win 10 box iirc.
Comment 17 Björn Jacke 2020-10-19 18:34:09 UTC
heupink: I think you are reporting a problem here that the initial bug report was not about. You mentioned "Azure AD Connect cloud provisioning (Preview)". Do you agree, that this is a different topic? If yes, please keep this bug report on the topic it was about. If you have a different issue with a new Azure software, please file a new bug.
Comment 18 heupink 2020-10-20 09:16:47 UTC
I considered this ticket to be on password hash synchronisation to Azure / O365. Through the years Microsoft had different tools to do this job, the latest one being the "cloud provisioning" server. And actually: I think the tool that the ticket originally was about (DirSync) is no longer supported by Microsoft.

But all these tools seemed to run into the same/similar issue: RPC Error 8420 : The naming context could not be found.

Therefore I assumed that our findings are the same, or at least related or relevant.

On the mailing list there seem to be very few (if any, recent) success stories.

However, reading Ralph Böhme's comments, it seems that perhaps it *is* supposed to work after all. So for now, I will start by putting more efforts into making it work here. Perhaps I'll first also test with a native microsoft AD DC.
Comment 19 heupink 2020-10-21 10:07:48 UTC
(In reply to Ralph Böhme from comment #12)

I just tried installing the (traditional, older style) Azure AD Connect with an account from the "domain admins" group, and it seems that is no longer supported:

https://docs.microsoft.com/nl-nl/azure/active-directory/hybrid/reference-connect-accounts-permissions:

"As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive an error."

The installer will instead offer to create an account for you, and that is probably where this Samba limitation becomes problematic: "DRSR RPC service doesn't correctly honor directory ACLs that would grant the required rights" (Ralph Böhme in comment #11)
Comment 20 Ralph Böhme 2020-10-21 10:15:55 UTC
(In reply to heupink from comment #19)
You can use any account and make it a member of domain admins.
Comment 21 Andrew Bartlett 2020-10-23 18:19:17 UTC
(In reply to heupink from comment #19)

I understand why they do it, but it is (from a security perspective) making people feel safer than they really are, as a user who can download password hashes (Kerberos keys) for servers and krbtgt is essentially a Domain Admin anyway.
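As an added example (not code from Samba or from anyone in this thread), a Python audit that parses a domain NC's security descriptor in SDDL form and lists which trustees are granted the DRS replication extended rights that comment 6 names and that comment 21 equates with Domain Admin. The SDDL string is constructed, the S-1-5-21-... SIDs are placeholders, and the extended-right GUIDs are the well-known schema values; on a Windows DC the real string can be read with, for example, `(Get-Acl "AD:\DC=example,DC=com").Sddl`.

```python
"""Audit which trustees a domain NC's DACL grants the DRS replication extended
rights that DirSync / Azure AD Connect password hash sync needs.  Added example,
not Samba project code; the SDDL and SIDs below are constructed."""
import re

# Well-known extended-right GUIDs (rightsGuid of the controlAccessRight objects
# under CN=Extended-Rights in the Configuration NC).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# A DRS client needs both of these to pull secrets (password hashes / Kerberos keys).
SECRET_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
# SDDL two-letter SID aliases commonly found on a domain NC.
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
               "SY": "Local System", "AU": "Authenticated Users",
               "ED": "Enterprise Domain Controllers", "RO": "Enterprise Read-only Domain Controllers"}
DACL_RE = re.compile(r"D:([^()]*(?:\([^)]*\))*)")   # "D:" + flags + ACE list, stops at "S:"
ACE_RE = re.compile(r"\(([^)]*)\)")


def pairs(s):
    """Split an SDDL flags or rights string into its two-letter tokens."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def grants_control_access(rights):
    """True if the ACE rights field includes control-access (extended) rights."""
    if rights.lower().startswith("0x"):
        # ADS_RIGHT_DS_CONTROL_ACCESS (0x100) or GENERIC_ALL (0x10000000)
        return bool(int(rights, 16) & 0x10000100)
    return bool(pairs(rights) & {"CR", "GA"})


def parse_dacl(sddl):
    """Return DACL ACEs as [type, flags, rights, object_guid, inherit_guid, sid] lists."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    fields = [body.split(";") for body in ACE_RE.findall(m.group(1))]
    return [f for f in fields if len(f) == 6]   # conditional ACEs have 7 fields; skipped


def replication_rights(sddl):
    """Map each trustee to the replication rights it effectively holds on this object:
    allow ACEs minus explicit deny ACEs for the same trustee.  Group membership is
    not expanded here; that needs the directory, not just the descriptor."""
    allowed, denied = {}, {}
    for ace_type, flags, rights, obj_guid, _inherit_guid, sid in parse_dacl(sddl):
        if not grants_control_access(rights) or "IO" in pairs(flags):
            continue                     # no extended rights, or inherit-only (not effective here)
        guid = obj_guid.lower()
        if guid == "":
            names = set(REPL_RIGHTS.values())   # no object type: every extended right is granted
        elif guid in REPL_RIGHTS:
            names = {REPL_RIGHTS[guid]}
        else:
            continue                     # some other extended right, not relevant here
        trustee = SID_ALIASES.get(sid, sid)
        if ace_type in ("A", "OA"):
            allowed.setdefault(trustee, set()).update(names)
        elif ace_type in ("D", "OD"):
            denied.setdefault(trustee, set()).update(names)
    effective = {}
    for trustee, names in allowed.items():
        names -= denied.get(trustee, set())
        if names:
            effective[trustee] = names
    return effective


def can_replicate_secrets(sddl):
    """Trustees holding both secret-replication rights: effectively Domain Admins."""
    return sorted(t for t, n in replication_rights(sddl).items() if SECRET_RIGHTS <= n)


SAMPLE_SDDL = (   # constructed, trimmed domain-NC DACL; the S-1-5-21-... SIDs are placeholders
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                  # full control incl. all extended rights
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"    # DCs replicate from each other
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"      # sync account
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1105)"
    "(OA;CIIO;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1120)"  # inherit-only
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1130)"      # explicit deny
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1130)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1130)"
    "(A;;RPLCLORC;;;AU)"                                   # read-only, no extended rights
)

if __name__ == "__main__":
    for trustee, names in replication_rights(SAMPLE_SDDL).items():
        print(f"{trustee}: {', '.join(sorted(names))}")
    print("can replicate secrets:", can_replicate_secrets(SAMPLE_SDDL))
```

On a Samba DC the same check applies to the SDDL of the domain NC; an account that shows up in the last list should be treated with the same care as a Domain Admin, whichever tool granted it the rights.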